MHTML Arbitrary Code Execution in Microsoft Outlook Express

A vulnerability in Microsoft Outlook Express 6.0 and 5.5 can result in the execution of arbitrary code on the vulnerable system. This vulnerability is a result of flaw in the Mime Encapsulation of Aggregate HTML (MHTML) URL Handler. To exploit this vulnerability, an attacker can construct a URL and either host it on a Web site or send it by email. In the Web-based scenario, when a user clicks the site-hosted URL, the attacker can then read or launch files already present on the local machine.

VENDOR RESPONSE

Microsoft has released Security Bulletin MS03-014, "Cumulative Patch for Outlook Express (330994)," to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.